Is there an alternatives to fail2ban?

As title,

I always used fail2ban with my CentOS box but now with CentOS 6 I'm not able to get it to work again.

Service starts without error, all is configured ok, no error on logs but fail2ban doesn't ban anyone on my box.

Is there an alternative software to fail2ban with similar functionalities?

I need to ban IP that fails auth on squirrelmail (I have installed squirrel_logger), on php, on apache and on phpmyadmin, ah and dovecot.

15 Replies

it seems that fail2ban doesn't work with python 2.6 except for ssh…

its really sad to see a good software like this to fail in this way.

Four years without any new features, three years without a decent fix to major problem, two years and no fix to phyton compatibility problems, board is full of spam without any moderation.

Its a dead software but I don't see any alternatives.

The only one could be denyhosts but it isn't an alternatives, at all, since it only protect the ssh port.

Looks like Python 2.6 should work with the latest version of Fail2ban:

http://www.fail2ban.org/wiki/index.php/ … d_older.29">http://www.fail2ban.org/wiki/index.php/Fail2ban:CommunityPortal#Python2.6support.28relevantonlyfor0.8.3and_older.29

I know on Debian 6.0, fail2ban works just fine with python 2.6.6

@waldo:

Looks like Python 2.6 should work with the latest version of Fail2ban:

http://www.fail2ban.org/wiki/index.php/ … d_older.29">http://www.fail2ban.org/wiki/index.php/Fail2ban:CommunityPortal#Python2.6support.28relevantonlyfor0.8.3and_older.29

I know on Debian 6.0, fail2ban works just fine with python 2.6.6

On the net I find only complaints about fail2ban and Python 2.6, the only regexpr that works ok is the one for SSH.

Probably the debian you are talking about uses only ssh protection.

That's primarily all I use it for, but as far as I can tell, the Debian guys have filters for apache, courier, exmin, gssftpd, lighttpd, pam, postfix, pure-ftpd, gmail, sasl, sieve, sshd-ddos, sshd, vsftpd, webmin-auth, wuftpd, xinetd and a few others.

Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.

@waldo:

That's primarily all I use it for, but as far as I can tell, the Debian guys have filters for apache, courier, exmin, gssftpd, lighttpd, pam, postfix, pure-ftpd, gmail, sasl, sieve, sshd-ddos, sshd, vsftpd, webmin-auth, wuftpd, xinetd and a few others.

Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.

can you give me some output of fail2ban-regexpr with some of your filter.d/files ?

Sure:

If you download:

http://ftp.de.debian.org/debian/pool/ma … rig.tar.gz">http://ftp.de.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.8.4.orig.tar.gz

from:

http://packages.debian.org/squeeze/fail2ban

Then dig into config/filter.d those are the same files I'm using. From what I can tell, it appears the Debian maintainer has modified the following files in the package:

action.d/iptables-multiport.conf

action.d/iptables-new.conf

action.d/mail-whois-lines.conf

action.d/iptables-all-ports.conf

jail.conf

filter.d/apache-nohome.conf

filter.d/named-refused.conf

filter.d/apache-badbots.conf

filter.d/proftpd.conf

filter.d/pure-ftpd.conf

filter.d/wuftpd.conf

filter.d/common.conf

filter.d/ssdh-ddos.conf

filter.d/pam-generic.conf

filter.d/sasl.conf

in my case

regexpr are correct (checked with regexpr calculator for python), fail2ban is well configured and it doesn't match anything.

I have founded dozens of other users with my same problem on the net, it could be interesting to see how debian modified that files to make it work.

in any case this is a dead software since many years, its best to find a new one but the problem is that I cannot find an alternatives.

Why do you say it's dead? Because it's not in constant development with regular releases?

Sure the last release was 2 years ago:

http://www.fail2ban.org/wiki/index.php/Main_Page

Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?

If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested….

This is the only browsable repo I can find for Centos:

http://pkgs.repoforge.org/fail2ban/

Looks like the newest version of fail2ban available from the Centos repos is quite old

Though Fedora is current:

http://download.fedora.redhat.com/pub/e … l2ban.html">http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/fail2ban.html

I'd check to see what version of fail2ban got installed on your server.

@waldo:

Why do you say it's dead? Because it's not in constant development with regular releases?

Sure the last release was 2 years ago:

http://www.fail2ban.org/wiki/index.php/Main_Page

Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?

If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested….

This is the only browsable repo I can find for Centos:

http://pkgs.repoforge.org/fail2ban/

Looks like the newest version of fail2ban available from the Centos repos is quite old

Though Fedora is current:

http://download.fedora.redhat.com/pub/e … l2ban.html">http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/fail2ban.html

I'd check to see what version of fail2ban got installed on your server.

I'm using the latest 0.8.4 from fedora epel

There's always the LFD component of CSF:

http://www.configserver.com/cp/csf.html

My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.

I solved the problem with fail2ban, there was a date problem.

I solved by editing:

/etc/fail2ban/filter.d/common.conf

and changing

prefixline = \s(?:\S+ )?(?:@vserver\S+ )?%(daemoncombsre)s?\s

with this:

_prefixline = .*?

@haus:

There's always the LFD component of CSF:

http://www.configserver.com/cp/csf.html

My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.

Agreed, I love CSF/LFD.

CSF + LFD work very well and are easily configured via their webmin module, would also highly reccomend it :D

fail2ban-regex is a command line utility to test your filters against a log file.

man fail2ban-regex for usage.

Recent versions of ufw (in Ubuntu, and Debian 6) have rate limiting features.

sudo ufw limit ssh

It even works for rating limiting smtp or pop/imap logins, which are the new attack vector of brute forcing. (Or port 80, or whatever you want.)

stmiller@li166-66:~$ sudo ufw status
[sudo] password for stmiller: 
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
993                        LIMIT       Anywhere
465                        LIMIT       Anywhere
25                         LIMIT       Anywhere

By default this will deny connections of an IP if 6 or more logins are attempted in the last 30 seconds. Though you can customize as desired.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct